The RansomHub ransomware operation is using a Linux encryptor designed specifically to encrypt VMware ESXi environments in corporate attacks.

RansomHub is a ransomware-as-a-service (RaaS) operation launched in February 2024, featuring code overlaps and member associations with ALPHV/BlackCat and Knight ransomware, having claimed over 45 victims across 18 countries.

The existence of a Windows and Linux RansomHub encryptor has been confirmed since early May. Recorded Future now reports that the threat group also has a specialized ESXi variant in its arsenal, which it first saw in April 2024. 

Unlike RansomHub’s Windows and Linux versions that are written in Go, the ESXi version is a C++ program likely derived from the now-defunct Knight ransomware.

Interestingly, Recorded Future has also found a simple bug in the ESXi variant that defenders can leverage to send it to an endless loop and evade encryption.

RansomHub’s ESXi encryptor

The enterprise has adopted the use of virtual machines to host their servers, as they allow for better management of CPU, memory, and storage resources.

Due to this increased adoption, almost every enterprise-targeting ransomware gang has created dedicated VMware ESXi encryptors to target these servers.

RansomHub is no exception, with their ESXi encryptor supporting various command-line options for setting an execution delay, specifying which VMs should be excluded from encryption, what directory paths to target, and more.

It also features ESXi-specific commands and options, like ‘vim-cmd vmsvc/getallvms’ and ‘vim-cmd vmsvc/snapshot.removeall’ for snapshot deletion, and ‘esxcli vm process kill’ for shutting down VMs.

The encryptor also disables syslog and other critical services to hinder logging and can be configured to delete itself after execution to avoid detection and analysis.

The encryption scheme uses ChaCha20 with Curve25519 for generating public and private keys, and encrypts ESXi related files like ‘.vmdk,’ ‘.vmx,’ ‘.vmsn,’ only partially (intermittent encryption) for faster performance.

Specifically, it encrypts only the first megabyte of files larger than 1MB, repeating encryption blocks every 11MB. Finally, it adds a 113-byte footer to each encrypted file containing the victim’s public key, ChaCha20 nonce, and chunks count.

The ransom note is written to ‘/etc/motd’ (Message of the Day) and ‘/usr/lib/vmware/hostd/docroot/ui/index.html’ to make it visible on login screens and web interfaces.

Putting RansomHub into an endless loop

Recorded Future analysts found that the ESXi variant uses a file named ‘/tmp/app.pid’ to check if an instance is already running.

If this file exists with a process ID, the ransomware attempts to kill that process and exits.

However, if the file contains ‘-1,’ the ransomware enters an infinite loop where it tries to kill a non-existent process, effectively neutralizing itself.

This practically means that organizations can create a /tmp/app.pid file containing ‘-1’ to protect against the RansomHub ESXi variant. That is, at least until the RaaS operators fix the bug and roll out updated versions for their affiliates to use in attacks.